Merge pull request #1 from ggjulio/renovate/configure

chore: Configure Renovate

.github/dependabot.yml

@@ -33,8 +33,7 @@ updates:
       interval: "daily"
     ignore:
       # We use consistent go and node versions across a lot of different files, and updating via dependabot would cause
-      # drift among those files.
-      # Use `make update-go` and `make update-node` to update these versions.
+      # drift among those files, instead we let renovate bot handle them.
       - dependency-name: "library/golang"
       - dependency-name: "library/node"
 

.github/workflows/ci-build.yaml

@@ -13,6 +13,7 @@ on:
 
 env:
   # Golang version to use across CI steps
+  # renovate: datasource=golang-version packageName=golang
   GOLANG_VERSION: '1.23.1'
 
 concurrency:
@@ -110,7 +111,8 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
-          version: v1.61.0
+          # renovate: datasource=gomod packageName=golangci/golangci-lint extractVersion=^v(?<version>.+)$
+          version: v1.60.0
           args: --verbose
 
   test-go:
@@ -305,6 +307,7 @@ jobs:
       - name: Setup NodeJS
         uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
+          # renovate: datasource=node-version packageName=node
           node-version: '22.8.0'
       - name: Restore node dependency cache
         id: cache-dependencies

.github/workflows/image.yaml

@@ -52,6 +52,7 @@ jobs:
     uses: ./.github/workflows/image-reuse.yaml
     with:
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      # renovate: datasource=golang-version packageName=golang
       go-version: 1.23.1
       platforms: ${{ needs.set-vars.outputs.platforms }}
       push: false
@@ -68,6 +69,7 @@ jobs:
       quay_image_name: quay.io/argoproj/argocd:latest
       ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      # renovate: datasource=golang-version packageName=golang
       go-version: 1.23.1
       platforms: ${{ needs.set-vars.outputs.platforms }}
       push: true

.github/workflows/release.yaml

@@ -10,6 +10,7 @@ on:
 permissions: {}
 
 env:
+  # renovate: datasource=golang-version packageName=golang
   GOLANG_VERSION: '1.23.1' # Note: go-version must also be set in job argocd-image.with.go-version
 
 jobs:
@@ -23,6 +24,7 @@ jobs:
     with:
       quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      # renovate: datasource=golang-version packageName=golang
       go-version: 1.23.1
       platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
       push: true

Makefile

@@ -631,14 +631,6 @@ snyk-non-container-tests:
 snyk-report:
 	./hack/snyk-report.sh $(target_branch)
 
-.PHONY: update-go
-update-go:
-	./hack/update-go.sh
-
-.PHONY: update-node
-update-node:
-	./hack/update-node.sh
-
 .PHONY: help
 help:
 	@echo 'Note: Generally an item w/ (-local) will run inside docker unless you use the -local variant'

hack/installers/install-lint-tools.sh

@@ -1,4 +1,7 @@
 #!/bin/bash
 set -eux -o pipefail
 
-GO111MODULE=on go install github.com/golangci/golangci-lint/cmd/[email protected]
+# renovate: datasource=gomod packageName=golangci/golangci-lint
+GOLANGCI_LINT_VERSION=1.60.0
+
+GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}"

renovate.json5

@@ -0,0 +1,58 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "baseBranches": [ "dev"], // just to test without poluting my fork
+  "dependencyDashboard": false,
+  "dependencyDashboardApproval": false, // set to true to ask an approval before creating a PR.
+  "dependencyDashboardOSVVulnerabilitySummary": "all",
+  "osvVulnerabilityAlerts": true,
+  "reviewersFromCodeOwners": true,
+  // "timezone": "Europe/Paris", // used by features like scheduling...
+  "extends": [
+    // "schedule:nonOfficeHours", // https://docs.renovatebot.com/presets-schedule/#schedulenonofficehours
+    "config:best-practices",
+    "security:openssf-scorecard",
+    "mergeConfidence:all-badges",
+    "regexManagers:dockerfileVersions", // https://docs.renovatebot.com/presets-customManagers/#custommanagersdockerfileversions
+    // TODO change shared presets with a repo like `argoproj/renovate-presets`
+    "github>ggjulio/renovate-presets//fix/openssf-merge-confidence-columns.json5",
+    "github>ggjulio/renovate-presets//custom-managers/shell.json5",
+    "github>ggjulio/renovate-presets//custom-managers/yaml.json5",
+  ],
+  "packageRules": [
+    // Prefer presets over creating rules in that file as it we become hard to read.
+    {
+      "description": "Disable all updates to avoid conflicts with dependabot, then enable what we want",
+      "matchPackageNames": [
+        "*"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "Add label dependencies to all PRs",
+      "matchPackageNames": ["*"],
+      "labels": ["dependencies"]
+    },
+    {
+      "description": "Enable golang-version",
+      "matchDatasources": ["golang-version"],
+      "addLabels": ["go"],
+      "enabled": true
+    },
+    {
+      "description": "Enable node-version",
+      "matchDatasources": ["node-version"],
+      "addLabels": ["javascript"],
+      "enabled": true
+    },
+    {
+      "description": "Reduce noise by automerging pkgs that are safe to merge, TBD",
+      // Just an example, multiple match fields can be used to reduce the scope of this rule (matchFileNames, matchManagers, matchPackageNames...)
+      "matchUpdateTypes": [
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "automerge": false // change to true ?
+    }
+  ]
+}